In the Claims:

1. (Original) A method for intrusion detection of network traffic comprising:

storing a data file comprising data defining one or more signature definitions and one
or more parameters and associated values;

generating, for each of the one or more signature definitions, an inspector instance 
based on the data file; and 

executing, for each of the one or more signature definitions, the generated inspector 
instance to detect network traffic matching the signature definition. 

2. (Original) The method of Claim 1, and further comprising: 

storing a user data file comprising signature definitions, each modified signature 
definition comprising a signature identifier associating the modified signature definition with 
a corresponding signature definition stored in the data file; and 

generating, for each of the modified signature definitions, a revised inspector instance 
based on the modified signature definition and the corresponding generated inspector 
instance. 

3. (Original) The method of Claim 1, wherein the data file comprises, for 
each signature definition, data comprising: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the signature. 

4. (Original) The method of Claim 1, wherein each signature definition is 
stored in a separate line of the data file. 

5. (Original) The method of Claim 2, wherein the one or more modified 
signature definitions comprises modified values for associated modified parameters and no 
values indicative of the parameters in the corresponding signature definition that are not 
modified. 

6. (Original) The method of Claim 1, wherein the data file comprises a file
received from a sensor provider. 

7. (Original) The method of Claim 1, wherein the data file comprises a file 
generated by a user. 

8. (Original) The method of Claim 1, wherein receiving the data file 
comprises receiving the data file at a sensor configuration handler. 

9. (Original) The method of Claim 1, and further comprising receiving
configuration data from a user and storing the received configuration data in a user data file. 

10. (Original) The method of Claim 1, and further comprising: 

storing a user data file comprising one or more user-defined signature definitions, 
each user-defined signature definition comprising a signature identifier not associated with 
any of the signature definitions in the data file; and 

generating, for each of the user-defined signature definitions, an inspector instance 
based on the user-defined signature. 

11. (Original) A method for use in intrusion detection comprising:

storing a default signature file defining one or more default signatures;

storing a customized signature file defining one or more custom signatures;

automatically generating, for each of the one or more signatures defined in the default
signature file, executable code operable to detect intrusions associated with the default
signature; and

automatically generating, for each of the custom signatures, executable code operable 
to detect intrusions associated with the custom signature. 

12. (Currently Amended) The method of Claim 11, wherein storing a
customized signature file comprises storing modifications of one or more of the default 
signatures. 

13. (Currently Amended) The method of Claim 11, wherein automatically
generating, for each of the one or more custom signatures comprises automatically 
generating, for each custom signature, executable code operable to detect intrusions 
associated with the custom signature based on the generated executable code of an associated 
default signature. 

14. (Original) The method of Claim 11, wherein the one or more custom 
signatures comprises modifications of the default signatures. 

15. (Original) The method of Claim 11, wherein generating, for each of the 
one or more default signatures, comprises generating executable code associated with the 
default signature based on an inspector shell. 

16. (Original) The method of Claim 15, wherein the executable code 
associated with the default signature is operable to compare a plurality of parameter values to 
a plurality of parameter values defined by the default signature. 

17. (Original) The method of Claim 11, wherein the default signature file 
comprises, for each default signature:

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the default 
signature. 

18. (Original) The method of Claim 11, wherein the custom signature file 
comprises, for each signature: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the default 
signature. 

19. (Original) A method for use in intrusion detection comprising:

providing a sensor having a plurality of defined signatures; 

communicating to the sensor a desire to create a modified signature from a signature 
to be modified; 

receiving from the sensor data indicative of parameters and associated values for the 
signature to be modified; and 

providing to the sensor a modified value for at least one of the parameters to create a 
modified signature. 

20. (Original) The method of Claim 19, and further comprising storing data 
associated with the modified signature in the sensor at a location separate from the associated 
unmodified signature. 

21. (Original) The method of Claim 20, and further comprising storing in the 
sensor the name, signature identification number, and one or more parameters and associated 
values for only the modified values for the modified signature. 

22. (Original) The method of Claim 19, and further comprising 
communicating to the sensor the name of an engine associated with the signature to be 
modified. 

23. (Original) The method of Claim 20, wherein storing data associated with 
the modified signature comprises storing a plurality of parameter names and associated 
values. 

24. (Original) The method of Claim 19, and further comprising selecting a 
signature to be modified from the plurality of defined signatures. 

25. (Original) The method of Claim 22, and further comprising receiving a 
list indicative of all defined signatures associated with the engine. 

26. (Original) The method of Claim 19, wherein providing a sensor having a
plurality of defined signatures comprises providing a sensor having a default data file 
defining the defined signatures. 

27. (Original) The method of Claim 26, and further comprising updating the 
default file. 

28. (Original) A system for intrusion detection comprising: 

a sensor for detecting possible network intrusions, the sensor comprising: 

one or more engine groups each associated with one or more network 
detection engines; and 

a configuration handler comprising: 

a default signature file storing one or more signature definitions 
defining one or more respective default signatures for use by the sensor; and 

a user signature file storing a plurality of user-defined signatures for
use by the sensor; and

wherein each network detection engine is operable to generate an executable 
code based on either one of the stored default signatures or one of the stored user-defined 
signatures, the executable code operable to detect a network intrusion defined by the 
associated user-defined signature or the associated default signature. 

29. (Original) The system of Claim 28, wherein the configuration handler 
further comprising stored modifications to the default signatures. 

30. (Original) The system of Claim 29, wherein the stored modifications are 
stored in the user signature file. 

31. (Original) The system of Claim 28, wherein the configuration handler 
further comprises a user interface operable to: 

receive an identification of a signature to be modified; 

provide a list of parameters and associated values for the signature to be modified; 
receive revised values for one or more of the parameters; and 
write a revised signature to the user-defined data file. 

32. (Original) The system of Claim 28, wherein the configuration handler
further comprises a user interface operable to: 

provide a list of possible parameters for a particular engine; 

receive a plurality of values for one or more of the parameters to define a user-defined 
signature associated with the engine; and parameters; and 

write a user-defined signature to the user signature file. 

33. (Original) The system of Claim 28, wherein the configuration handler 
further comprises a reader and dispatcher operable to read data from the default signature file 
and user signature file and transmit the read data to the one or more engine groups. 

34. (Original) The system of Claim 28, and further comprising a management 
console associated with the sensor and operable to communicate configuration data to the 
configuration handler and receive configuration help information from the configuration 
handler.

35. (Currently Amended) A system for intrusion detection, comprising: 
a sensor for detecting possible network intrusions, the sensor comprising: 

at least one engine; and 

a means for storing default signatures with parameter-value pairs associated 
with the default signatures and an engine parameter and an associated name for the 
engine parameter and user-defined signatures with parameter-value pairs associated 
with the user-defined signatures and an engine parameter and an associated name for 
the engine parameter for defining signatures to be detected by the at least one engine. 

36. (Currently Amended) A method for use in intrusion detection of network
traffic comprising: 

storing in a memory a signature definition associated with a signature to be detected, 
the signature definitions comprising: 

an engine parameter and an associated name for the engine parameter; 
an identifier for the signature; and 

one or more parameter-value pairs associated with the signature, each 
parameter-value pair comprising a parameter name and associated parameter value; 
and 

determining, based on the signature definition, the values that associated parameters 
of network traffic must take to meet the signature. 

37. (Original) The method of Claim 36, and further comprising storing a 
plurality of signature definitions in a data file, each signature definition on a different line of 
the data file. 

38. (Cancelled) 

39. (Original) The method of Claim 36, wherein each signature definition 
further comprises an identification parameter preceding the signature identifier. 
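
The following sketch is an added illustration, not part of the claims or of any implementation by the applicant. It shows the data flow of Claims 1 to 5, 10 and 36 to 39: one signature definition per line, a user file holding only the modified parameters or wholly new signatures, and one inspector generated per resulting signature. The line syntax, the parameter names (`Engine`, `SIGID`, `SigName`, `DstPort`, `TcpFlags`), the engine names and the traffic-record layout are assumptions made for the example.

```python
import shlex

# Constructed sample files. The "name value name value ..." line syntax and the
# parameter names (Engine, SIGID, SigName, DstPort, TcpFlags) are assumptions.
DEFAULT_FILE = '''\
Engine tcp-atomic SIGID 3001 SigName "Telnet SYN" DstPort 23 TcpFlags SYN
Engine udp-atomic SIGID 4001 SigName "UDP echo" DstPort 7
'''
USER_FILE = '''\
Engine tcp-atomic SIGID 3001 DstPort 2323
Engine tcp-atomic SIGID 20001 SigName "Alt telnet SYN" DstPort 8023 TcpFlags SYN
'''
META = {"Engine", "SIGID", "SigName"}  # identify the signature, not the traffic

def parse_line(line):
    """Parse one signature definition (one per line) into a dict."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError(f"parameter without a value: {line!r}")
    sig = dict(zip(tokens[::2], tokens[1::2]))
    if not {"Engine", "SIGID"} <= sig.keys():
        raise ValueError(f"Engine and SIGID are required: {line!r}")
    return sig

def load(text):
    return {s["SIGID"]: s for s in map(parse_line, filter(str.strip, text.splitlines()))}

def merge(defaults, user):
    """Overlay user entries: a known SIGID overrides only the parameters it lists."""
    merged = {sid: dict(sig) for sid, sig in defaults.items()}
    for sid, sig in user.items():
        base = merged.setdefault(sid, {})
        if base and base["Engine"] != sig["Engine"]:
            raise ValueError(f"SIGID {sid}: override names a different engine")
        base.update(sig)
    return merged

def make_inspector(sig):
    """Build a closure that tests one traffic record against one signature."""
    wanted = {k: v for k, v in sig.items() if k not in META}
    return lambda rec: rec.get("engine") == sig["Engine"] and all(
        str(rec.get(k)) == v for k, v in wanted.items())

def build_inspectors(default_text, user_text):
    merged = merge(load(default_text), load(user_text))
    return {sid: make_inspector(sig) for sid, sig in merged.items()}

def matches(inspectors, record):
    return sorted(sid for sid, fn in inspectors.items() if fn(record))
```

Because the override for signature 3001 carries only `DstPort`, the default `TcpFlags` and `SigName` values survive the merge, and a later update of the default file does not disturb the user file.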



